Hijacked npm and Go Packages Use VS Code Tasks to Deploy Python Infostealer

Cybersecurity researchers have uncovered a sophisticated attack campaign that leverages compromised npm and Go packages to deliver a Python-based infostealer malware, further compromising developers’ systems. The attackers cleverly employed VS Code tasks to deploy the malicious code, demonstrating the evolving tactics of threat actors.

The affected software packages, used by millions of developers worldwide, were hijacked using AI-powered vulnerability scanning tools. These tools identified vulnerabilities in the packages that could be exploited for unauthorized access and data exfiltration. Once compromised, the attackers used the packages as a conduit to deliver the Python-based infostealer malware.

For those unfamiliar with the technical aspects, npm is a popular package manager for JavaScript developers, while Go is a programming language used by many software applications. VS Code tasks, on the other hand, are scripts that run within Visual Studio Code (VS Code), a widely-used integrated development environment (IDE). The attackers hijacked these packages to execute malicious code in the context of VS Code tasks.

This attack campaign matters for several reasons. First and foremost, it highlights the potential vulnerabilities in popular software libraries and frameworks used by developers worldwide. Compromised packages can have far-reaching consequences, affecting not just individual systems but entire organizations that rely on them. Moreover, this incident underscores the growing threat posed by AI-powered vulnerability scanning tools, which are increasingly being used to identify and exploit vulnerabilities.

To better understand how this attack works, consider the following: when a developer installs a compromised package via npm or Go, the attackers can execute malicious code in the context of VS Code tasks. This allows them to access sensitive data on the system, including login credentials and other confidential information. The Python-based infostealer malware deployed as part of the attack is designed to extract valuable data from the compromised systems.

The takeaway for developers and organizations alike is that software package vulnerability management must become a top priority. Regularly update packages, use reputable sources, and implement robust security measures to prevent such attacks from succeeding in the future.


Source: The Hacker News — 2026-06-29